[Pdns-users] [MARKETING] Re: How to make Authoritative work?
Nejedlo, Mark
Mark.Nejedlo at tdstelecom.com
Tue Jan 18 17:00:28 UTC 2022
Are you per chance expecting the AUTHORITY section to be populated? PowerDNS doesn't do that. Per the FAQ:
https://doc.powerdns.com/authoritative/appendices/FAQ.html#powerdns-does-not-give-authoritative-answers-how-come
--
PowerDNS does not give authoritative answers, how come?
This is almost always not the case. An authoritative answer is recognized by the ‘AA’ bit being set. Many tools prominently print the number of Authority records included in an answer, leading users to conclude that the absence or presence of these records indicates the authority of an answer. This is not the case.
Verily, many misguided country code domain operators have fallen into this trap and demand authority records, even though these are fluff and quite often misleading. Invite such operators to look at section 6.2.1 of RFC 1034, which shows a correct authoritative answer without authority records. In fact, none of the non-deprecated authoritative answers shown have authority records!
--
Mark
> -----Original Message-----
> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of
> Brian Candler via Pdns-users
> Sent: Tuesday, January 18, 2022 10:21 AM
> To: jrd-pdns at jrd.org
> Cc: pdns-users-ml <pdns-users at mailman.powerdns.com>
> Subject: [MARKETING] Re: [Pdns-users] How to make Authoritative work?
>
> External Email: For information security purposes, this email came from
> an external source and any attachments or links should be treated with
> caution.
>
> On 18/01/2022 15:03, jrd-pdns at jrd.org wrote:
> > Let's get back to my original question: How do I get pdns, with no
> > recursor in the picture, to believe that it's authoritative for a
> zone?
>
> (Presumably by "pdns" you mean "pdns authoritative server")
>
>
> > When I it hit with a query, I get
> >
> > root at f3-kong-dyndns /etc/powerdns # dig -p 5300 jrd.org soa @localhost
> >
> > ; <<>> DiG 9.16.22 <<>> -p 5300 jrd.org soa @localhost
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37408
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
>
> That looks right to me. flags: aa = authoritative answer set on the
> reply. What do you expect to be different?
>
> If you want to avoid the "recursion requested but not available"
> warning, use dig +norec
>
> dig +norec -p 5300 jrd.org. soa @localhost
>
> Note that if the server wasn't authoritative for the requested zone, it
> would reply to the query with REFUSED.
>
> _______________________________________________
> Pdns-users mailing list
> Pdns-users at mailman.powerdns.com
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
More information about the Pdns-users
mailing list